| Commit message | Author | Age | Files | Lines |
If the canonicalize flag is set, the MIT KDC always returns the client
principal when KRB5_KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
Signed-off-by: Simo Sorce <simo@redhat.com>
When a FILE ccache method returns an error, append the filename to the
standard message for the code. Remove code to set extended messages
in helper functions as they would just be overwritten.
Also change the interpretation of errno values. Treat ENAMETOOLONG as
KRB5_FCC_NOFILE instead of KRB5_FCC_INTERNAL, since it has an external
cause and a name that long can't be opened by normal means. Treat
EROFS as KRB5_FCC_PERM. Treat ENOTDIR and ELOOP as KRB5_FCC_NOFILE
instead of KRB5_FCC_PERM as both errors imply that the full pathname
doesn't exist. Treat EBUSY and ETXTBSY as KRB5_CC_IO instead of
KRB5_FCC_PERM as they indicate a conflict rather than a permission
issue.
[ghudson@mit.edu: renamed set_error to set_errmsg_filename; removed
now-inoperative code to set extended messages in helper functions;
trimmed changes to interpret_errno; clarified and shortened commit
message]
ticket: 8052 (new)
Linux 3.15 has added OFD locks, which contend with POSIX file locks
but are owned by the open file description instead of the process.
Use these in krb5_lock_file where available, for safer concurrency
behavior.
ticket: 8023 (new)
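The commit above prefers Linux OFD locks over classic POSIX record locks. The difference matters because a POSIX lock is owned by the process: two open descriptions of the same file in one process silently share it, and closing any of them drops it. The following is an added example, not krb5_lock_file's code, that applies a whole-file lock with F_OFD_SETLK where the constant exists and F_SETLK otherwise, then shows the ownership difference by locking one temporary file through two descriptors in the same process. The scratch file path and the function names are this example's own.

```c
/* Added example (not krb5_lock_file itself): lock a whole file, preferring
 * Linux 3.15+ OFD locks (F_OFD_SETLK*) and falling back to classic POSIX
 * record locks (F_SETLK*) where the OFD constants are not defined. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 when this build uses OFD locks, 0 when it falls back to POSIX locks. */
int uses_ofd_locks(void)
{
#ifdef F_OFD_SETLK
    return 1;
#else
    return 0;
#endif
}

/* Apply type (F_RDLCK, F_WRLCK or F_UNLCK) to the whole file behind fd.
 * Returns 0 on success, -1 with errno set; a nonblocking request that
 * conflicts with an existing lock fails with EAGAIN (or EACCES). */
static int set_whole_file_lock(int fd, short type, int block)
{
    struct flock fl;
    int cmd;

    memset(&fl, 0, sizeof(fl));
    fl.l_type = type;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;                       /* 0 means "to end of file" */
#ifdef F_OFD_SETLK
    fl.l_pid = 0;                       /* must be 0 for OFD locks */
    cmd = block ? F_OFD_SETLKW : F_OFD_SETLK;
#else
    cmd = block ? F_SETLKW : F_SETLK;
#endif
    return fcntl(fd, cmd, &fl);
}

/* Open one temporary file twice in this process, take an exclusive lock
 * through the first description and try a nonblocking exclusive lock
 * through the second. Returns 1 if the second request is refused (OFD
 * semantics: the lock is owned by the open file description), 0 if it is
 * granted (POSIX semantics: the process already owns the lock), -1 on
 * error. */
int same_process_contention(void)
{
    const char *tmp = getenv("TMPDIR");
    char path[256];
    int fd1, fd2, result = -1;

    /* Constructed scratch file; unlinked as soon as both opens are done. */
    snprintf(path, sizeof(path), "%s/ofd_demo_XXXXXX", tmp ? tmp : "/tmp");
    fd1 = mkstemp(path);
    if (fd1 < 0)
        return -1;
    fd2 = open(path, O_RDWR | O_CLOEXEC);
    unlink(path);
    if (fd2 < 0) {
        close(fd1);
        return -1;
    }

    if (set_whole_file_lock(fd1, F_WRLCK, 1) == 0) {
        if (set_whole_file_lock(fd2, F_WRLCK, 0) == 0)
            result = 0;
        else if (errno == EAGAIN || errno == EACCES)
            result = 1;
        set_whole_file_lock(fd2, F_UNLCK, 0);
        set_whole_file_lock(fd1, F_UNLCK, 0);
    }
    close(fd2);
    close(fd1);
    return result;
}

int main(void)
{
    int r = same_process_contention();

    printf("%s locks: second open file description was %s\n",
           uses_ofd_locks() ? "OFD" : "POSIX",
           r == 1 ? "refused (locks contend)" :
           r == 0 ? "granted (lock shared by the whole process)" : "error");
    return r < 0;
}
```

On a glibc build where F_OFD_SETLK is defined, the second descriptor is refused; with the POSIX fallback it is granted, because the kernel sees the same process as the owner. The other POSIX hazard, not shown here, is that close() on any descriptor for the file releases every POSIX lock the process holds on it, whereas an OFD lock lasts until the last descriptor for that open file description is closed.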
Support the err_fmt relation in [libdefaults] which allows custom
error message formatting.
[ghudson@mit.edu: maintain alphabetical order in documentation and
reword docs; simplify err_fmt_fmt; expand commit message]
ticket: 8047 (new)
Define internal names k5_prendmsg and k5_wrapmsg and use them where we
amend error messages. This slightly changes the error message when we
fail to construct FAST AP-REQ armor, decrypt a FAST reply, or store
credentials in a gic_opts output ccache. Adjust the test suite for
the latter of those changes.
[ghudson@mit.edu: define and use internal names for brevity; pull in
test fix from later commit; expand commit message; fix redundant
separators in LDAP messages]
ticket: 8046
Add four new public APIs for wrapping error messages:
krb5_prepend_error_message, krb5_vprepend_error_message,
krb5_wrap_error_message, and krb5_vwrap_error_message. The first two
functions are from Heimdal and allow a prefix to be added to the
existing message for a code. The latter two functions also allow the
code to be changed.
[ghudson@mit.edu: rename krb5_prepend_error_message2 to
krb5_wrap_error_message; clarify doxygen comments and put them in the
proper form; implement krb5_prepend_error_message in terms of
krb5_wrap_error_message; fix leak and null context handling in
krb5_wrap_error_message; rewrite commit message]
ticket: 8046 (new)
Implementations of fdopen() are inconsistent about the state of
the file offset after fdopen(., "a+") -- some position the stream
at the end of the file immediately (e.g., Solaris), for both reading
and writing, but others let reads occur from the beginning of the
file (e.g., glibc).
As it turns out, we only ever write to the file descriptor, not
through stdio, so opening the file with O_APPEND and using fdopen()
with "r+b" should give us sufficient append semantics, while
more portably letting the stream read from the beginning of the file.
This fixes the test suite on Solaris, a regression introduced
by commit 6979ead5e5c24ca0ec3569eb4bef48c2e5d8a726.
ticket: 8026
When duplicate suppression was requested, we would enter an
infinite loop upon encountering a duplicate entry, a bug
introduced in commit 0918990bf1d8560d74473fc0e41d08d433da1a15
and thus present in release 1.13.
Rework the conditional to avoid the loop, at the expense of
additional indentation for some of the code.
Ticket: 8038
tags: pullup
target_version: 1.13.1
If we fail to open the cache file in fcc_initialize, we could wind up
calling close(-1) which is harmless but incorrect. Avoid this by
initializing fd and conditionalizing its cleanup.
ticket: 8026
gcc 4.6.3 (present in Ubuntu 12.04) is smart enough to look at
get_size and see that it does not always assign to *size_out, but not
smart enough to figure out that it always assigns to *size_out when it
returns 0. As a result, it outputs two warnings which we treat as
errors. Add an initial assignment to *size_out at the beginning of
get_size to work around this.
ticket: 8026
Remove open file state from the cache handle, use stdio for reading,
use single O_APPEND writes for writing, and use O_CLOEXEC when
opening. Keep the file handle open during iteration. These changes
simplify the code, fix some concurrency issues, and reduce the
dependency on POSIX file locks. We still acquire file locks for
compatibility with older code, and in case O_APPEND writes aren't
concurrency-atomic.
Helper functions change as follows:
* open_cache_file yields a stdio handle, and only opens and locks.
* close_cache_file takes a stdio handle.
* read_header (new) reads the file header and yields a version.
* invalidate_cache and fcc_lseek are no longer needed.
* get_size, read_bytes, and load_bytes operate on a stdio handle.
* read32, read16, load_data, load_principal, and load_cred operate on
a stdio handle and version.
* write_bytes, store32, store16, and store_principal are no longer
needed.
fcc_initialize now takes responsibility for writing the header and
default client principal, using a single write.
ticket: 8026 (new)
The FILE ccache type maintains a global reference-counted table of
handles, which is perhaps an imperfect workaround for POSIX
per-process file locks. Remove this table, since we plan to maintain
read fds in cursors and use O_APPEND writes to render locking less
important.
Since KRB5_TC_OPENCLOSE no longer does anything, stop setting it when
we iterate over ccaches.
ticket: 7804
Stop processing the KRB5_TC_OPENCLOSE flag in cc_file.c; always reopen
the file instead. This will be replaced with more efficient cursor
handling. Also remove some unused KRB5_TC_OPENCLOSE macros in scc.h.
Expand out MAKE_CODEC macro invocations into MAKE_ENCODER and
MAKE_DECODER invocations, so that the defined function names appear in
the macro calls. This makes it easier to find the function
definitions using grep, although one still has to look up the macro to
see what it does.
In copy_creds_except, call krb5_cc_end_seq_get so we don't leak the
ccache cursor.
ticket: 8029 (new)
target_version: 1.13.1
tags: pullup
In init_creds_step_reply, if we get an error storing output
credentials, do set ctx->complete (since retrieving creds or times
will work at this point) but don't suppress the error code.
ticket: 8028 (new)
target_version: 1.13.1
tags: pullup
In kg_accept_krb5, use gssalloc_malloc when allocating space for the
error token, since it will be freed with gssalloc_free. Using malloc
can cause heap corruption on Windows. This bug was masked by #1445
before 1.12.
ticket: 8024 (new)
target_version: 1.13.1
tags: pullup
In kadmind's randkey operation, if a client specifies the keepold
flag, do not include the preserved old keys in the response.
CVE-2014-5351:
An authenticated remote attacker can retrieve the current keys for a
service principal when generating a new set of keys for that
principal. The attacker needs to be authenticated as a user who has
the elevated privilege for randomizing the keys of other principals.
Normally, when a Kerberos administrator randomizes the keys of a
service principal, kadmind returns only the new keys. This prevents
an administrator who lacks legitimate privileged access to a service
from forging tickets to authenticate to that service. If the
"keepold" flag to the kadmin randkey RPC operation is true, kadmind
retains the old keys in the KDC database as intended, but also
unexpectedly returns the old keys to the client, which exposes the
service to ticket forgery attacks from the administrator.
A mitigating factor is that legitimate clients of the affected service
will start failing to authenticate to the service once they begin to
receive service tickets encrypted in the new keys. The affected
service will be unable to decrypt the newly issued tickets, possibly
alerting the legitimate administrator of the affected service.
CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
[tlyu@mit.edu: CVE description and CVSS score]
ticket: 8018 (new)
target_version: 1.13
tags: pullup
If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash. Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.
Based on a patch from Solly Ross <sross@redhat.com>.
ticket: 8017 (new)
target_version: 1.13
tags: pullup
If two processes try to initialize the same replay cache at the same
time, krb5_rc_io_creat can race between unlink and open, leading to a
KRB5_RC_IO_PERM error. When this happens, make the losing process
retry so that it can continue.
This does not solve the replay cache creation race, nor is that the
only replay cache race issue. It simply prevents the race from
causing a spurious failure.
ticket: 3498
target_version: 1.13
tags: pullup
Both lcc_resolve() and lcc_get_principal() were using GetMSTGT()
to fetch a ticket from which to obtain the client principal name
of the credentials cache. However, that name is contained in
the results of the cache information query; there is no need
to retrieve a full ticket of any sort to get it. Since there
may sometimes be difficulties obtaining a TGT when UAC is enabled,
avoid these unneeded calls.
ticket: 7989
All the callers of UnicodeStringToMITPrinc() were already converting
a UnicodeString into a wchar* just to pass it in as the realm.
Simplify everyone's life by making the helper do the conversion.
ticket: 7989
We don't care about XP versus non-XP; just indicate which
revision of the data type is being used.
Standardize on the lowercase 'x' in "Ex", for both the "Ex" and
"Ex2" forms.
While here, adjust the function definition prototypes to match
current style.
ticket: 7989
Remove PreserveInitialTicketIdentity() and IsKerberosLogon(), as well
as the preprocessor conditionals ENABLE_PURGING and PURGE_ALL, which
have not been used in a very long time, if ever.
There was one potential callsite of IsKerberosLogon(), in
lcc_resolve(), which was disabled. It is perfectly reasonable to want
to use the MSLSA cache on a non-domain-joined workstation, as it is
now a read-write cache type, so we need not concern ourselves whether
the logon was performed or may have been performed using kerberos.
ticket: 7989
The function does_query_ticket_cache_ex2() will not be needed once
Windows Server 2003 drops out of support in approximately one year's
time. Note the doom timer at its definition, to facilitate future
cleanup.
ticket: 7989
It is safe to remove is_windows_2000(), is_windows_xp(), and
is_windows_vista(), since the former two only check for very old
versions of windows which are no longer supported, and
is_windows_vista() was unused. Note that the check being implemented
was whether the running OS was the named version or higher, not an
exact match. The current Microsoft documentation recommends against
the sort of OS version checks that were employed here, in favor of
explicit feature tests.
Remove is_broken_wow64() as the problem it works around (Microsoft
Article ID 960077) is believed to have been fixed in subsequent
updates to Windows Server 2003 and XP.
Remove does_retrieve_ticket_cache_ticket() since support for the
KERB_RETRIEVE_TICKET_CACHE_TICKET flag in the
KERB_RETRIEVE_TKT_REQUEST structure was added in service packs for
Windows Server 2003 and XP. Also remove buildtime fallbacks that
are no longer needed.
Remove the conditionals TRUST_ATTRIBUTE_TRUST_USES_AES_KEYS,
HAVE_CACHE_INFO_EX2, and KERB_SUBMIT_TICKET as all current SDK
versions have the relevant functionality.
In all cases, de-indent chunks that are no longer conditional.
Where indentation levels changed, update the style of the reindented
code to current practices.
ticket: 7989
When the current user is a local administrator of a windows machine
where User Account Control (UAC) is enabled, the Windows LSA will
return a block of zeros as the session key for any TGT entry in the
MSLSA: cache. The lcc_retrieve() implementation checks for such
"null" session keys and prevents them from escaping to callers (as
attempts to use them would encounter strange errors). However,
when the TGT is the only entry in the cache, this filtering prevents
scan_ccache() from detecting that the cache contains non-expired
credentials (and that there is a TGT present).
Since scan_ccache() is only looking at metadata in the cache entries,
and does not need to actually use any tickets or session keys, set
the KRB5_TC_NOTICKET flag on the ccache before scanning it. This
will allow the MSLSA implementation to return a cred for the TGT
entry and cause the GSSAPI credential selection algorithm to function
properly.
ticket: 8000 (new)
tags: pullup
target_version: 1.12.3
subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled
We need to call scan_ccache() in order to notice that there
are credentials and read their expire time.
The call to scan_ccache() in the Leash case was inadvertently
removed as part of commit 8651f3339ccc5a623172a8edfb9cf522883acacd.
ticket: 7998 (new)
tags: pullup
target_version: 1.12.3
subject: gssapi.dll tries to get initial creds even when some are present
Now that add_key_rnd isn't looking up the TGT principal entry, it
could use retval before initializing it if the loop runs for zero
iterations. Get rid of the add_key_rnd label (as it no longer does
anything) and just return 0 after the loop ends.
In add_key_rnd, stop looking up the krbtgt DB entry; we have not used
it since 1.1.
Use copy_key_data in add_key_rnd and add_key_pwd.
krb5_dbe_crk, krb5_dbe_ark, krb5_dbe_def_cpw, and krb5_dbe_apw all
contained similar logic. Consolidate all of them into a static helper
function which does the work of all four. The ark/apw variants had
slightly different behavior than crk/cpw with keepold=true, so
introduce a three-value enum to express all three behaviors.
When we are preserving old key data in kdb_cpw.c, ensure that it is
encrypted with the same master key as the new key data. This ensures
that the KRB5_TL_MKVNO tl-data on the principal entry applies to all
of the key data, not just some of it.
ticket: 7995
target_version: 1.13
tags: pullup
Commit 956cbd24e645609c94fbc836840ce0f87ba3ce79 created a memory leak
if the KCM_OP_GET_DEFAULT_CACHE call fails inside kcm_ptcursor_new
after the KCM_OP_GET_CACHE_UUID_LIST call succeeds. Fix it.
ticket: 8002
The KCM per-type cursor was too simplistic and did not obey the
conventions of the other ccache types. Fix it to return a singleton
cursor when the default cache is a subsidiary and to return the
primary cache first.
For internal convenience, make_cache now accepts a context parameter
and creates a kcmio if necessary.
ticket: 8002 (new)
target_version: 1.13
In lib/kadm5/logger.c:krb5_klog_init(), if the configuration requests
STDERR logging, call fdopen() using mode "w" instead of "a+", to avoid
errors when stderr happens to be opened for write only.
ticket: 8001 (new)
target_version: 1.13
tags: pullup
It was added in commit 0d04b60d159ab83b943e43802b1449a3b074bc83, but
was not added to the library export symbol list, and thus was unusable
on systems that enforced library export lists.
ticket: 8003 (new)
tags: pullup
target_version: 1.13
In kadm5_randkey_principal_3, after updating the principal's keys,
update its mkvno tl-data to indicate the master key version we
encrypted the new keys with.
ticket: 7994
target_version: 1.13
tags: pullup
For interoperability with Windows Server 2003 and earlier, loosen the
initiator's enforcement of RFC 4178's mechlistMIC requirement when
falling back to NTLMSSP.
[ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP
OID]
ticket: 7975
target_version: 1.13
tags: pullup
When we use krb5_cc_new_unique to create a new cache in a directory
cache collection, we will fail if the directory doesn't exist yet.
Go ahead and preemptively create it, as we do during krb5_cc_resolve,
before attempting to create a new file under it.
ticket: 7988 (new)
target_version: 1.13
tags: pullup
The krb5 gss_accept_sec_context could erroneously return
GSS_C_DELEG_FLAG in ret_flags if either:
* The token included the GSS_C_DELEG_FLAG but did not include at least
28 bytes in the authenticator checksum.
* The initial token included the GSS_C_DELEG_FLAG but a DCE-style
exchange was performed.
Fix both of these cases.
ticket: 7987 (new)
target_version: 1.13
tags: pullup
In loadConfigFiles, call globfree even if glob fails, since glob can
allocate memory and report partial results on failure. Also
initialize globbuf before calling glob; this is not strictly required,
but hedges against hypothetical libc implementation bugs which could
leave globbuf.gl_pathc or globbuf.gl_pathv uninitialized on error.
ticket: 7981
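The resource-handling rule in the commit above, as an added example that is not the mechglue's loadConfigFiles: zero the glob_t before the call and run globfree() on every path out, including GLOB_NOMATCH and hard errors, since glob() may have allocated partial results before failing. The scratch directory, the file names and the function names are this example's own.

```c
/* Added example (not the gssapi mechglue code): a glob() wrapper that
 * calls globfree() on every exit path, including failure. */
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return the number of paths matching pattern: 0 for GLOB_NOMATCH, -1 for
 * any other glob() failure. globbuf is zeroed first, and globfree() runs
 * unconditionally, because glob() may allocate and report partial results
 * even when it fails. */
int count_glob_matches(const char *pattern)
{
    glob_t gb;
    int ret, count;

    memset(&gb, 0, sizeof(gb));           /* hedge against fields left unset on error */
    ret = glob(pattern, 0, NULL, &gb);
    if (ret == 0)
        count = (int)gb.gl_pathc;
    else if (ret == GLOB_NOMATCH)
        count = 0;
    else
        count = -1;                       /* GLOB_NOSPACE, GLOB_ABORTED, ... */
    globfree(&gb);                        /* safe after success, no-match or error */
    return count;
}

/* Build a constructed directory holding a.conf, b.conf and c.bak, count
 * the entries matching suffix ("*.conf" -> 2, "*.missing" -> 0), remove
 * the directory and return the count, or -1 on setup failure. */
int demo_count(const char *suffix)
{
    static const char *names[] = { "a.conf", "b.conf", "c.bak" };
    const char *tmp = getenv("TMPDIR");
    char dir[256], path[512];
    int i, fd, count = 0;

    snprintf(dir, sizeof(dir), "%s/mechs_demo_XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    for (i = 0; i < 3; i++) {
        snprintf(path, sizeof(path), "%s/%s", dir, names[i]);
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) {
            count = -1;
            break;
        }
        close(fd);
    }
    if (count == 0) {
        snprintf(path, sizeof(path), "%s/%s", dir, suffix);
        count = count_glob_matches(path);
    }
    for (i = 0; i < 3; i++) {             /* clean up whatever was created */
        snprintf(path, sizeof(path), "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return count;
}

int main(void)
{
    printf("*.conf matches: %d\n", demo_count("*.conf"));
    printf("*.missing matches: %d\n", demo_count("*.missing"));
    return 0;
}
```

The point of the single exit path is that a configuration loader typically runs once per process but in every process that links the library, so even a small leak on the "no match" path is visible in long-running daemons.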
Commit 58312ae8beb0499ac3a06196164eb833e9f8975e, "Fix the build on
windows", had a typo that broke the build of KCM support on OS X.
Attempt to increment the cardinality of the set of buildable platforms,
instead of just adjusting its contents, by fixing the typo.
Windows does not provide the glob() functionality used to implement
the /etc/gss/mechs.d/ feature, so we must avoid compiling the
relevant code for windows. (It would never have been called, anyway.)
Adjust the ccache/Makefile.in rules to not use '-' or '@' in
make variable names that are processed by nmake.
Also in ccache/Makefile.in, remove some latent leading whitespace that
had been previously hidden by the previous rule; this exposed some
flawed dependencies that are now removed.
Windows does not provide sys/socket.h or sys/un.h, so don't try
to include them in cc_kcm.c.
The commit which moved the KKDCP TLS support to a plugin left some
dangling references to checkhost.c byproducts in os/Makefile.in,
which can be safely removed.
Use k5-platform.h in support/json.c instead of a set of system includes;
this lets windows build the static inline helper functions therein.
ticket: 7982 (new)
target_version: 1.12.2
tags: pullup
Now that an iprop full dump might not hold a lock around the entire
dump, it's possible that iprop will queue an incremental update while
the dump is in progress. If a principal is deleted while the dump is
in progress, the dump could omit that principal, yet the deletion
event would still be queued in the ulog. Ignore that deletion without
generating an error.
This is the same basic change as for ticket #7753.
ticket: 7977
ticket: 7977 (new)
subject: Enable unlocked KDB iteration
Add a new credential cache type "KCM" which performs cache operations
by speaking to a Heimdal or OS X KCM daemon, via either Unix domain
sockets or (on OS X only) Mach RPC. Add "kcm_socket" and
"kcm_mach_service" profile variables to control the socket path and
bootstrap service name respectively. In ccmarshal.c, add
k5_marshal_mcred to marshal matching credentials in the KCM protocol
representation.
This cache type is not currently supported on Windows, as Windows does
not support Unix domain sockets.
As with the keyring cache type, the lastchange method of this cache
type is mostly useless, reporting only the time of the last change
made through that cache handle. The KCM protocol currently has no
support for obtaining the last change time of the cache itself.
ticket: 7964 (new)
Make k5_marshal_cred and k5_marshal_princ write to an existing struct
k5buf instead of allocating a new one, so that they can be marshalled
before or after other data.
Make struct k5buf less opaque and get rid of k5buf-int.h. Make it
easy to initialize a k5buf in an error state so that it can be freed
in a cleanup handler. Add a function k5_buf_status which returns 0 or
ENOMEM. Remove k5_buf_data and k5_buf_len. Rename k5_free_buf to
k5_buf_free. Adjust all callers to match.
To work around a historical bug in Samba, the SPNEGO initiator treats
a counterproposal as matching the optimistic token if both are aliases
for the krb5 mech. When IAKERB support was added (#6712), IAKERB was
unintentionally added to the set of mech OIDs which were considered to
be krb5 aliases for this purpose.
Remove IAKERB from gss_mech_set_krb5_both and create a new internal
mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs.
ticket: 7974 (new)